Multidimensional Epidemiological Survey Data Aggregation Scheme Based on Personalized Local Differential Privacy

Abstract

In recent years, with the rapid development of intelligent technology, information security and privacy issues have become increasingly prominent. Epidemiological survey data (ESD) research plays a vital role in understanding the laws and trends of disease transmission. However, epidemiological investigations (EI) involve a large amount of privacy-sensitive data which, once leaked, will cause serious harm to individuals and society. Collecting EI data is also a huge task. To solve these problems and meet personalized privacy protection requirements in EIs, we improve the uOUE protocol based on utility-optimized local differential privacy to improve the efficiency and accuracy of data coding. At the same time, aiming at the collection and processing of ESD, a multidimensional epidemiological survey data aggregation scheme based on uOUE is designed. By using Paillier homomorphic encryption and an identity-based signature scheme to further prevent differential attacks and achieve multidimensional data aggregation, the safe, efficient, and accurate aggregation processing of ESD is executed. Through security proof and performance comparison, it is verified that our algorithm meets the requirements of local differential privacy and unbiased estimation. The experimental evaluation results on two data sets show that the algorithm has good practicability and accuracy in ESD collection and provides reliable and effective privacy protection.

1. Introduction

In recent years, various infectious diseases, such as SARS, swine flu, Ebola, novel coronavirus epidemics, and influenza virus, have had a significant impact [1,2]. During these outbreaks, EIs have emerged as a crucial measure to curb their spread. EIs typically involve tracking patients, close contacts, and potential contacts and is conducted by health departments or other organizations. This investigation identifies close contacts based on patients’ basic information and behavior patterns; then, it tracks and screens them and takes the necessary actions in such settings as hospitals, communities, and workplaces [3]. Accordingly, ensuring a timely and accurate EI is vital, with a focus on safeguarding personal privacy and information security.

In analyzing infectious disease transmission, the data used require higher privacy protection compared with general health data. These data encompass the identities, health statuses, and close contact details of epidemiological survey objects (ESOs), which are highly sensitive to data owners. Emergencies intensify the urgency and volume of epidemic investigations, which are often recorded physically, thereby heightening information exposure risks. Information leaks have severe consequences, including repeated privacy breaches, misinformed public opinions, social panic, and potential harm. An excessive or insufficient desensitization of patient information by authorities may also lead to irrelevant data disclosure. Consequently, citizens’ privacy must be prioritized during epidemic investigations, including by employing effective encryption and security measures to prevent sensitive information leaks.

1.1. Related Work

In epidemiological studies, there have been many research efforts on the encryption protection of ESD. Blumenberg C et al. [4] used the REDCap system to explore the advantages and limitations of the electronic data collection environment and solved data inconsistency through real-time reporting and field verification, which is expected to play a role in time-saving and data quality improvement. However, there are shortcomings in its method of detail description, limitation discussion, replicability, and data quality analysis. Dong E et al. [5] introduced the COVID-19 dashboard, which provides real-time epidemic data for the world, and described the data collection process in detail. However, the inconsistency and time delay of the data affects the reliability of the data and the limitations of their application. Sperber A D et al. [6] compared two data collection methods, face-to-face interviews and internet surveys, concluding that the preferences and participation of different audiences may affect the bias of the method. Moreover, these authors did not provide a detailed design and description of the data collection method. In summary, most studies only encrypt ESD themselves, ignoring the privacy protection of non-medical data, and may not be able to fully protect users’ privacy information; their methods cannot be replicated, the limitations are significant, and the data cannot be applied. For data involving correlations, such as influenza status, sending data separately may lead to increased errors and reduce data accuracy and availability. In addition, correlations between non-sensitive attributes and sensitive attributes may result in the disclosure of personally sensitive information. Therefore, when dealing with ESOs, we must consider their relevance and take privacy protection measures to ensure data security and privacy.

Differential privacy (DP) [7,8] is pivotal in balancing individual privacy and data availability, and it can also be used to resist member inference attacks. In 2013, local differential privacy (LDP) [9,10] was proposed as a variant of DP [11]; it inherits its advantages and abandons the dependence on trusted third parties, thus improving the practicality of the model. LDP can add noise to all data and effectively protect data privacy. It has a wide range of applications, including machine learning, network services, data statistics, and optimization. LDP has been widely used in the industry. For example, Apple uses it to protect users’ mobile phone usage data, and Google uses LDP-based components (such as randomized aggregable privacy-preserving ordinal response, RAPPOR) to collect user behavior data. In 2017, Wang et al. [12] proposed a framework to incorporate most LDP protocols into the pure LDP protocol framework to optimize and generalize existing protocols and compared the accuracy and communication cost of different LDP protocols. They also introduced the optimized unary encoding (OUE) protocol with higher accuracy. In addition, the study compared a variety of encoding methods and provided suggestions for selecting protocols. Histogram encoding (HE) and unary encoding (UE) required $O\left(d\right)$ communication costs, and direct encoding (DE) and local hashing (LH) required $O\left(\log d\right)$ or $O\left(\log n\right)$ communication costs ($n$ is the number of users). All protocols except DE estimated the computational cost $O\left(n\cdot d\right)$ of the frequency of all values. When the number of values that users might input is large, UE was an effective coding method, and its communication cost $O\left(d\right)$ was equivalent to that of HE. Therefore, when the user may input the number of values $d>3e^{\epsilon }+2$ and $d<n$, to avoid the high computational cost of DE and LH, the OUE coding mechanism offers improved accuracy and unbiased estimation results. Furthermore, UE, known for its simplicity and intuitiveness, is easy to implement and offers superior performance in terms of computational and communication costs. This made it a more practical choice for adoption in various applications. However, many existing LDP mechanisms often overlook the varying privacy protection requirements of different data in practical scenarios. Consequently, they may increase estimation errors by overprotecting non-sensitive data. Therefore, customizing LDP for specific domains is essential. Some protocols designed for protecting privacy location data, such as Geo-Indistinguishability [13] and Private Drop [14], may not directly suit EI frequency estimation. In addition, some personalized DP protocols may introduce excessive noise or data cuts, affecting data quality. In 2019, to address these issues, Murakami et al. [15] introduced the utility-optimized LDP (ULDP) model to reduce the protection of non-sensitive data according to the privacy requirements of different data, thereby improving data utility and protecting the privacy of sensitive data. However, the current ULDP protocols, such as utility-optimized generalized random response (uGRR) and utility-optimized RAPPOR (uRAP), mainly rely on generalized random response (GRR) and symmetric unary encoding (SUE), and face the challenges of utility and communication cost in the field of big data. In 2022, He et al. [16] proposed the utility-optimized optimized local hashing (uOLH) protocol for big data domains, which aims to achieve low communication costs and high data utility. Nonetheless, it focuses on big data and does not apply to all scenarios, and complex data hashing increases the complexity and cost of implementation. Additionally, Cao et al. [17] devised a frequency estimation mechanism conforming to the set-valued data ULDP model, offering a privacy protection solution for set data. However, its applicability may be limited when dealing with different data types, thereby increasing the complexity and cost of practical implementations. These studies aimed to enhance data utility while addressing privacy concerns. EIs present unique challenges, demanding rigorous data collection and privacy safeguards. Current LDP technology falls short, particularly in terms of data aggregation, analysis efficiency, accuracy, and compatibility with diverse data types. Hence, in-depth research is vital to develop customized protocols for EI that effectively balance data privacy and utilization.

Homomorphic encryption [18], notably the Paillier variant, facilitates calculations on encrypted data, thereby enhancing data privacy. Paillier homomorphic encryption (PHE) [19] permits encrypted data aggregation, ensuring privacy and security while enabling efficient data transmission. In epidemiological survey data collection, it safeguards privacy and also enhances transmission efficiency. This ensures that individual data remain encrypted during sensitive data aggregation and analysis, preventing the exposure of personal sensitive information. Consequently, PHE offers an efficient and dependable solution for data collaboration and privacy protection.

Based on the particularity of data in EI, in the process of LDP perturbation, it is necessary to ensure that ESD do not lose information and that ESD are fully protected for privacy. Based on the existing mechanism, we improve the OUE protocol scheme based on the ULDP protocol to transmit EI data set information, avoid the unified perturbation processing of all data like the traditional LDP method, and use OUE coding to avoid complex data hashing. Increasing the complexity and cost of implementation can achieve lower communication costs and higher data utility in the EI data domain.

Therefore, based on the OUE protocol [12], we improve the utility-optimized OUE (uOUE) protocol that conforms to the ULDP model, aiming to further improve the efficiency and accuracy of data coding. A ULDP scheme based on the uOUE protocol is designed. The uOUE protocol is used to deal with situations in which ESO data contain both sensitive values and non-sensitive values to ensure the security and privacy of data, improve the accuracy of ESD frequency estimation results, and avoid the privacy risks posed to patients’ original data during transmission. In addition, the scheme also uses PHE and identity-based signature schemes to protect data from differential attacks. PHE can aggregate encrypted data in a ciphertext state to ensure data security and privacy. The identity-based signature scheme can digitally sign the user’s ESD to ensure data integrity and source credibility.

Our main contributions are as follows:

• For users’ personalized privacy protection requirements, we improve the uOUE protocol that conforms to the ULDP model based on the OUE mechanism. By proving that the uOUE protocol satisfies the ULDP model and calculating the theoretical variance of the frequency estimation results, the proposed protocol has been deemed to have a low communication cost and high data utility;
• Considering the collection and processing of data in the EI scenario, we design a multidimensional ESD aggregation scheme based on PLDP. This scheme ensures the security and integrity of personal privacy data while maintaining the availability of data and achieves the secure, efficient, and accurate aggregation of ESD;
• Through the comparative analysis of mean square error (MSE) and communication cost with the other five LDP protocols, as well as the experimental results on two data sets, our scheme shows higher practicability and performance in ESD aggregation. In terms of multidimensional data aggregation, the scheme shows strong computing performance and more comprehensive functions and cleverly balances computing efficiency and privacy protection in the ESD aggregation scenario, providing a valuable practical solution for this field.

1.2. Organization

The rest of this paper is organized as follows: Section 2 introduces some preliminary knowledge; Section 3 gives the specific content of the uOUE mechanism; in Section 4, considering the personalized privacy requirements of users in the EI scenario, an ESD aggregation scheme based on uOUE is designed; Section 5 gives the theoretical proof and comparative analysis of the scheme; and finally, Section 6 contains a summary of our results.

2. Preliminary Knowledge

In this section, we will briefly introduce the concepts of utility-optimized local differential privacy (ULDP) and Paillier homomorphic encryption (PHE). Finally, we further introduce the utility evaluation mechanism MSE used in this paper.

2.1. Utility Optimization LDP

ULDP [15] divides the original data set $X$ into sensitive data set $X_S$ and non-sensitive data set $X_N$ and divides the output set into protected data set $Y_S$ and reversible data set $Y_N$. Its formal definition is as follows.

Define 1.

$\left(X_S,Y_S,\epsilon \right)-ULDP$,$\epsilon \ge 0$, for the perturbation mechanism with input domain$X$and output domain$Y$,$M:X\to Y$, if and only if the perturbation mechanism$M$satisfies the following properties, satisfies$\left(X_S,Y_S,\epsilon \right)-ULDP.$

(1)

For any $y\in Y_N$, there is only one:

$$\mathrm{Pr}\left[M\left(x_1\right)=y\right]>0$$

(1)

And for any $x_1\ne x_2$, satisfy the following:

$$\mathrm{Pr}\left[M\left(x_2\right)=y\right]=0$$

(2)

(2)

For any input $x_1, x_2\in X$, obtain any output $y\in Y_S$ and satisfy the following:

$$\mathrm{Pr}\left[M\left(x_1\right)=y\right]\le e^{\epsilon }\mathrm{Pr}\left[M\left(x_2\right)=y\right]$$

(3)

$\epsilon$-LDP guarantees that any attacker cannot infer the exact original input from the output result, and when the privacy budget $\epsilon$ approaches 0, all data in $X$ output the same result with almost the same probability. Since the privacy budget $\epsilon$ controls the degree of privacy protection in LDP, the smaller (or larger) the value, the stronger (or weaker) the privacy guarantee.

2.2. PHE Algorithm

PHE [19] is widely used in many privacy-preserving data aggregation schemes. Suppose $E\left(\cdot \right)$ is an encryption function, $\mathbb{K}$ is an encrypted key, and $a$ and $b$ are two random encrypted messages. The additional homomorphism of the PHE algorithm is shown as follows: $E_{\mathbb{K}}(a)\cdot E_{\mathbb{K}}(b)=E_{\mathbb{K}}(a+b)$. The PHE algorithm consists of three parts: key generation, encryption, and decryption. The detailed process is as follows:

• Key generation: randomly select two large primes $p$ and $q$ and calculate $N=pq$, $\lambda =lcm\left(p-1,q-1\right)$, then select generator $g\in {{\rm Z}}_{N^2}^{\ast }$; let $g$ satisfy $\gcd (L(g^{\lambda }\mathrm{mod}{N}^2),N)=1$, quorum $L\left(\mu \right)=\mu -1/N$. Obtain the public key $PK=\left(N,g\right)$ and private key $SK=\left(\lambda ,\mu \right)$;
• Encryption: for any plaintext $m\in Z_N$, select a random number $r\in Z_N^{\ast }$, and make it satisfy $\gcd \left(r,n\right)=1$. Encrypt to obtain ciphertext: $c=g^m{r}^N\mathrm{mod}{N}^2$;
• Decryption: the plaintext is obtained by the formula: $m=L\left(c^{\lambda }\mathrm{mod}{N}^2\right)\mu \mathrm{mod}N$.

2.3. Utility Evaluation

The MSE is used to evaluate the effectiveness of a protocol and experiment. The MSE can evaluate the degree of data change. The smaller the value of the MSE, the better the accuracy of the prediction model to describe the experimental data. The formal definition of mean square error is shown in (4):

$$MSE\left(\widehat{F}\right)=E\left[{\displaystyle \sum _{i=1}^n\left(F_x-{{\widehat{F}}_x}^2\right)}\right]$$

(4)

$F_x$ represents the real frequency, and $F_x$ represents the estimated frequency.

3. uOUE Mechanism

In this section, we propose a uOUE protocol based on the OUE protocol, which conforms to the ULDP model and protects the privacy of categorical data. Different from the traditional OUE protocol, the uOUE protocol considers the privacy budget and introduces the ULDP mechanism to reduce communication costs and effectively reduce the risk of information leakage while maintaining data accuracy.

3.1. Introduction to uOUE

The uOUE protocol encodes values as binary vectors, matching each data item to candidate values. Privacy perturbation uses vector operations to maintain original data attributes. It treats sensitive and non-sensitive sets differently, applying distinct privacy protection methods. Sensitive data undergo random response interference, and individual candidate values of non-sensitive data are disturbed. Frequency estimation enhances accuracy and utility. This method reduces non-sensitive data protection, improves frequency estimation accuracy, maintains privacy, and enhances data availability.

3.2. Mechanism Description

Participants in the uOUE protocol include three parties: users, servers, and data users. Users hold the original data, encode and perturb them, and send them to the server. The server aggregates and statistically analyzes the perturbation data of all users, estimates the frequency distribution results of all the original data, and finally sends the results to the corresponding data users.

The original data set is recorded as $X=\left\{x_1,x_2,\cdots ,x_{\left|X\right|}\right\}$; the dimension size is $d=\left|X\right|$. Among them, the original data set is divided into two parts: sensitive data set $X_S$ and non-sensitive data set $X_N$. The two do not intersect, that is, $\left|X\right|=\left|X_S\right|+\left|X_N\right|$.

The uOUE scheme is divided into three steps: encoding, perturbation, and aggregation. The specific steps are as follows:

• uOUE encoding

In uOUE, the data are first UE-encoded, that is, the classification data in the user’s hands are encoded as a $d$-bit vector $v$. Each bit corresponds to data in the original data domain. If the user data contain data $k$, let the $k$ bit of $v$ be 1.

Assume that there are $n$ users, and each user holds raw data $x$. To reduce the subsequent communication cost, UE is used to encode it, and the encoding result $v=Encode\left(x\right)$ is obtained. Suppose $\left\{x_1,x_2,\cdots ,x_{\left|X_S\right|}\right\}$ is sensitive data $X_S$ and $\left\{x_{\left|X_S\right|+1},x_{\left|X_S\right|+2},\cdots ,x_{\left|X\right|}\right\}$ is non-sensitive data $X_N$, then the sensitive output is $Y_P=$ $\left\{\left(y_1,y_2,\cdots ,y_{\left|X\right|}\right)\left|y_1,y_2,\cdots ,y_{\left|X\right|}\in \left\{0,1\right\}\right.\right\}$ and the reversible output is $Y_N=X_N$. When $x$ is sensitive data, it will be encoded as data in $\left\{x_1,x_2,\cdots ,x_{\left|X_S\right|}\right\}$, and when $x$ is non-sensitive data, its encoding result is data in $\left\{x_{\left|X_S\right|+1},x_{\left|X_S\right|+2},\cdots ,x_{\left|X\right|}\right\}$.

2.

uOUE perturbation method

Users encode and perturb their original data locally to generate perturbation data $v^{\prime }$. According to sensitivity $x$, $Perturb(v)$ is processed by different perturbation methods. The specific method is to perturb each $v_k$ in $v$ to obtain ${v_k}^{\prime }$, as shown in (5). The processed perturbation data ${v_k}^{\prime }$ will be sent to the server for aggregation and analysis.

$$\mathrm{Pr}\left[v_k^{\prime }\left|v_k\right.\right]=\left\{\begin{array}{ll}\alpha \hfill & v_k=1,{v_k}^{\prime }=1;v_k\in X_S\hfill \\ 1-\alpha \hfill & v_k=1,{v_k}^{\prime }=0;v_k\in X_S\hfill \\ \beta \hfill & v_k=0,{v_k}^{\prime }=1;v_k\in X_S\hfill \\ 1-\beta \hfill & v_k=0,{v_k}^{\prime }=0;v_k\in X_S\hfill \\ \gamma \hfill & v_k=1,{v_k}^{\prime }=1;v_k\in X_N\hfill \\ 1-\gamma \hfill & v_k=1,{v_k}^{\prime }=0;v_k\in X_N\hfill \\ 1\hfill & v_k=0,{v_k}^{\prime }=0;v_k\in X_N\hfill \\ 0\hfill & v_k=0,{v_k}^{\prime }=1;v_k\in X_N\hfill \end{array}\right.$$

(5)

For sensitive data $x$, some probabilities remain unchanged $\alpha =\frac{1}{2}$, $\beta =\frac{1}{1+e^{\epsilon }}$ and probability deflection occurs, as shown in Figure 1 below; for non-sensitive data $x$, the probability of having $\gamma =\frac{e^{\epsilon }-1}{2e^{\epsilon }}$ remains unchanged. If $v_k\in X_N$ and ${v_k}^{\prime }=1$, then the reversible data $v_k$ are output, that is, we can use ${v_k}^{\prime }$ to represent $\left(y_1,y_2,\cdots ,y_t,t\le \left|X\right|\right)$ directly. Perturbation examples are shown in Figure 1 and Figure 2. After the disturbance is completed, the disturbance data will be sent to the server.

3.

uOUE aggregation

After the server receives the disturbance data sent by the user, the server will count whether each bit in $v^{\prime }$ is 1. Suppose that the number of occurrences of 1 in the $k$-th bit is ${\widehat{F}}_x$; by counting the number of occurrences of 1 in each bit, the server can estimate the probability of the occurrence of $x$ in each original data item, and the statistical analysis results ${\widehat{F}}_x$ close to the frequency distribution of the original data are as follows:

$${\widehat{F}}_x=\left\{\begin{array}{ll}\frac{F_x/n-\beta }{\alpha -\beta },\hfill & if x\in X_S\hfill \\ \frac{F_x}{n\gamma },\hfill & if x\in X_N\hfill \end{array}\right.$$

(6)

4. ESD Aggregation Scheme Based on uOUE

ESD sensitivity analysis involves sensitive and non-sensitive attributes. For example, in an epidemiological record, attributes like {gender, age, symptoms, allergic drugs, chronic diseases} include sensitive (allergic drugs) and non-sensitive attributes (gender and chronic diseases). Sensitive attributes also have sensitive and non-sensitive candidate values. For instance, when examining regional attributes, an individual’s travel destinations might include {Beijing, Shanghai, Guangxi, Hubei}, where Beijing and Shanghai are sensitive candidate values, and the others are not.

To enhance user data privacy, we designed an aggregation scheme based on the uOUE mechanism outlined in Section 3. This approach improves data utility by reducing non-sensitive data protection. It also introduces PHE and BLS-based short signatures [20] to boost data security. PHE enables the Epidemiological Data Control Center (EDCC) to merge encrypted data from multiple ESOs without decryption, ensuring strong data privacy and security while enhancing transmission efficiency. Meanwhile, the BLS-based short signature scheme offers efficient signing and verification, reducing communication and storage costs while maintaining high security and anonymity. This facilitates the efficient collection and aggregation of ESD while safeguarding authentication and data transmission privacy.

4.1. Scheme Model

This scheme is mainly composed of ESOs, epidemiological survey workers (ESWs), and the three-tier structure of the EDCC. The specific scheme model is shown in Figure 3.

• ESOs $\left(U_i,i=1,2,\cdots ,n\right)$: individuals or institutions in the EI survey send locally perturbed, encrypted, and signed data to ESWs. To protect ESO privacy, we apply the uOUE mechanism from Section 4. This involves mapping ESD to binary vectors and applying UE encoding to obtain perturbed data. ESOs then use identity-based signatures to safeguard the perturbed and signed data, ensuring data confidentiality and integrity;
• ESW $\left(ES{W}_h,h=1,2,\cdots ,z\right)$: a personal, system, or private cloud that pre-aggregates ESD and receives perturbed and signed data from ESOs. $ES{W}_h$ aggregates these data after verifying signatures, employs the PHE algorithm, and forwards the report to the data control center, streamlining interactions and communication with the EDCC;
• EDCC $\left(EDCC\right)$: the EDCC is central to the ESD aggregation scheme, acting as the aggregator. It possesses a pair of public and private keys for homomorphic encryption and semantic security, as well as a pair of identity-based public and private keys. Its responsibilities include generating public and private key pairs for ESOs and ESWs, as well as managing the transmission and verification of their data. To facilitate the separation of aggregated ESD, the EDCC constructs a super-increasing sequence for this purpose.

4.2. Scheme Contents

4.2.1. Scheme Initialization

• EI user $U_i\left(i=1,2,\cdots ,n\right)$ owns the attribute set $M=\left(m_1,m_2,\cdots ,m_l\right)$,$m_j\left(j=1,2,\cdots ,l\right)$. Each user $U_i$ has a $d$-dimensional attribute value candidate set $m_{jk}=\left\{m_{j1},m_{j2},\cdots ,m_{jd}\right\}$,$m_{jk}\left(k=1,2,\cdots ,d\right)$ which is the candidate value of the attribute $m_j$. Value $m_{ij}$ is 1 or 0; 1 is the candidate value, 0 indicates that it does not have the candidate value, and $k$ indicates the position corresponding to the candidate value;
• The EDCC selects safety parameter $\mathbb{k}$ and two primes $p,q$, and calculates $N=pq$ and $\lambda =lcm(p-1,q-1)$, where $p=2\stackrel{⌢}{p}+1$, $q=2\stackrel{⌢}{q}+1$, $\left|p\right|=\left|q\right|=\mathbb{k}$; $\stackrel{⌢}{p}$ and $\stackrel{⌢}{q}$ are also two primes. Then, it selects generator $g\in {{\rm Z}}_{N^2}^{\ast }$, defines function $L\left(x\right)=x-1/N$, and calculates the public key $\left(N=pq,g\right)$ and private key $\left(\lambda ,\mu \right)$ of the PHE algorithm, where $\mu ={\left(L\left(g^{\lambda }\mathrm{mod}{N}^2\right)\right)}^{-1}\mathrm{mod}N$;
• The EDCC generates a super-increasing sequence $\left\{a_1,a_2,\cdots ,a_l\right\}$, $a_j\in {{\rm Z}}_{N^2}^{\ast }$, which satisfies $a_j>{\displaystyle \sum _{k=1}^{j-1}{a}_k}\left(j=2,3,\cdots ,n\right)$; the length of $a_j$ is $\left|a_j\right|\ge \mathbb{k}$, $g_j=g^{a_j}$, $j=1,2,\cdots ,l$;
• ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are cyclic multiplicative groups with the same prime order $q_1$, where ${\mathbb{G}}_1$ is generated by $P$, and $\mathrm{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ is a bilinear map. The EDCC randomly selects a scheme private key $s\in Z_{q_1}^{\ast }$ and calculates the scheme public key $P_{pub}=P^s$;
• The EDCC selects three hash functions: $H_1, H_2:{\left\{0,1\right\}}^{\ast }\to G_1$, and $H_3$ ($H_3$ is SHA-256 hash algorithm);
• The EDCC publishes the scheme parameters, as follows:

  $$SP=\left\{M,N,g,P,q_1,e,P_{pub},H_1,H_2,H_3,n,h,\left(g^{a_1},g^{a_2},\cdots ,g^{a_l}\right)\right\}$$

4.2.2. Public–Private Key Pair Generation

ESO $U_i\left(i=1,2,\cdots ,n\right)$ registration, managed by the EDCC, yields a user’s pseudonym and generates their public and private keys using the BLS short signature, as follows:

• $U_i$ obtains the current timestamp $T_i$, calculates the hash value $H_3^i=H_3\left(i{d}_i^U‖T_i\right)$ using their own real identity $i{d}_i^U$, and sends a registration request $\left\{i{d}_i^U,T_i,H_3^i\right\}$ to the EDCC;
• After receiving the user’s registration request, the EDCC checks whether $H_3^i=H_3\left(i{d}_i^U‖T_i\right)$ is established. If yes, the EDCC computes pseudonym $PS$ for user $U_i$ based on their real identity $i{d}_i^U$: the EDCC randomly selects $y_i\in Z_{q_1}^{\ast }$, computes $P{P}_i=P^{s+y_i}$, $P{S}_i=H_2\left(P{P}_i‖i{d}_i^U‖T_i\right)$, and returns pseudonyms $P{S}_i$ and $P{Y}_i=P^{y_i}$ to $U_i$;
• $U_i$ verifies pseudonym $P{S}_i$: ${PS}_i^{\prime }\stackrel{?}{=}P{S}_i$. If equal, use the pseudonym. (7) proves the process.

  $$\begin{array}{cc}\hfill {PS}_i^{\prime }& =H_2\left(\left(P_{pub}\cdot P{Y}_i\right)‖i{d}_i^U‖T_i\right)\hfill \\ & =H_2\left(\left(P^s\cdot P^{y_i}\right)‖i{d}_i^U‖T_i\right)\hfill \\ & =H_2\left(P{P}_i‖i{d}_i^U‖T_i\right)=P{S}_i\hfill \end{array}$$

  (7)
• ESO selects a random number $s_i^U\in Z_{q_1}^{\ast }$ as its private key and publishes its corresponding public key ${PK}_i^U=P^{s_i^U}$;
• $ES{W}_h$ also selects private key $s_h^{ESW}\in Z_{q_1}^{\ast }$ and computes public key $P{K}_h^{ESW}=P^{s_h^{ESW}}$.

4.2.3. uOUE Perturbation

In this stage, the $ES{W}_h$ coverage area has $n\left(0\le n\le \eta \right)$ ESOs. Each ESO has EI information; $U_i$ fills in $x_i=\left(m_1^i,m_2^i,\cdots ,m_l^i\right), m_j^i\le x$, uses the uOUE protocol to encode and perturb to generate noisy data $v_i^{\prime }$, and transmits $v_i^{\prime }$ to $ES{W}_h$;

• $U_i$ fills in $x_i$ and converts $x_i$ into vector $v_j^i=Encode\left(m_j^i\right)$ of length $d=\left|v\right|$, as shown in (8).

  $$v_j^i=Encode\left(m_j^i\right)=\left\{\begin{array}{cc}{v}_{jk}^i\left[m_j^i\right]=1& ,m_j^i=k\\ v_{jk}^i\left[m_j^i\right]=0& ,m_j^i\ne k\end{array}\right.$$

  (8)
• $U_i$ perturbs according to (5) obtain data $v_i^{\prime }$, that is, perturbs each candidate value $v_{jk}^i$ according to its sensitivity to obtain data ${v_{jk}^i}^{\prime }=Perturb(v_{jk}^i)$: for sensitive data $x$, the probability remains unchanged, and the probability of $\beta =\frac{1}{1+e^{\epsilon }}$ deflects. $v_i^{\prime }$ is thus obtained;
• $U_i$ computes ${\vartheta }_i^U=H_1\left(v_i^{\prime },P{S}_i,T_i^U\right)$, signs ${\sigma }_i^U={{\vartheta }_i^U}^{s_i^U}$, and $T_i^U$ is the current timestamp, which can resist message replay attacks;
• $U_i$ sends report $\left\{P{S}_i‖v_i^{\prime }‖{\sigma }_i^U‖T_i^U\right\}$ to $ES{W}_h$ through a secure channel.

4.2.4. Data Pre-Processing

$ES{W}_h$ collects and processes the ESD $v_i^{\prime }$, and aggregates the data of the coverage area to obtain $C_h$. The specific steps are as follows:

• After $ES{W}_h$ receives the report, the effectiveness of $T_i^U$ is checked. The report is sent to $ES{W}_h$ at time point $T_h^{ESW}$ to check whether $T_h^{ESW}-T_i^U\le \Delta T$ is established, and $\Delta T$ is the allowed delay of the scheme. If it holds, then $T_i^U$ is valid, otherwise it terminates;
• $ES{W}_h$ verifies the signature: $e\left({\sigma }_i^U,P\right)\stackrel{?}{=}e\left({\vartheta }_i^U,P{K}_i^U\right)$. If it is equal, this indicates that the report from legal $U_i$ is received by $ES{W}_h$, otherwise it is terminated. (9) proves the correctness of signature verification:

  $$\begin{array}{ll}e\left({\sigma }_i^U,P\right)& =e\left({\vartheta }_i^{{U s}_i^U},P\right)\\ & =e\left({\vartheta }_i^U,P^{s_i^U}\right)\\ & =e\left({\vartheta }_i^U,P{K}_i^U\right)\end{array}$$

  (9)
• $ES{W}_h$ obtains $v_i^{\prime }\left(i=1,2,\cdots ,n\right)$ frequency statistics: $V_{jk}^h={\displaystyle \sum _{i=1}^n{v}_{jk}^i}$. They are stored in the form of an array, $V_{jk}^h=\left\{V^h\left[j\right]\left[k\right],\left(k=1,2,\cdots ,d\right),\left(j=1,2,\cdots ,l\right)\right\}$, $V_j^h=\left\{V^h\left[j\right],\left(j=1,2,\cdots ,l\right)\right\}$;
• $ES{W}_h$ randomly selects $r_h\in Z_{n_1}^{\ast }$ and calculates the ciphertext according to (10):

  $$C_h=g_1^{V_1^h}{g}_2^{V_2^h}\dots g_l^{V_l^h}{r_h}^N\mathrm{mod}{N}^2$$

  (10)
• $ES{W}_h$ calculates ${\vartheta }_h^{ESW}=H_1\left(C_h,i{d}_h,T_h^{ESW}\right)$, ${\sigma }_h^{ESW}={\vartheta }_h^{ESW}{ }^{s_h^{ESW}}$;
• $ES{W}_h$ sends reports $\left\{i{d}_h^{ESW}‖C_h‖{\sigma }_h^{ESW}‖T_h^{ESW}\right\}$ to the EDCC through a secure channel.

4.2.5. Data Aggregation

• The EDCC receives report $\left\{i{d}_h^{ESW}‖C_h‖{\sigma }_h^{ESW}‖T_h^{ESW}\right\}$ to check the effectiveness of $T_h^{ESW}$. If $T_h^{ESW}$ is valid, signature ${\sigma }_h^{ESW}$ is verified; if it is invalid, this indicates that a replay attack was detected and the process is terminated;
• The correctness of ${\sigma }_h^{ESW}$ is verified and compared with $e\left({\sigma }_h^{ESW},P\right)\stackrel{?}{=}e\left({\vartheta }_h^{ESW},P{K}_h^{ESW}\right)$. If the equation is equal, the EDCC receives the report;
• The EDCC aggregates the data according to (11) and (12) to obtain ciphertext $C$.

  $$C_h=g^{a_1{V}_1^h+a_2{V}_2^h+\cdots +a_l{V}_l^h}{r_h}^N\mathrm{mod}{N}^2$$

  (11)

  $$\begin{array}{ll}C& ={\displaystyle \prod _{h=1}^z{C}_h\mathrm{mod}{N}^2}\\ & =g^{a_1{\displaystyle \sum _{h=1}^z{V}_1^h}+a_2{\displaystyle \sum _{h=1}^z{V}_2^h}+\cdots +a_l{\displaystyle \sum _{h=1}^z{V}_l^h}}{\left({\displaystyle \prod _{h=1}^z{r}_h}\right)}^N\mathrm{mod}{N}^2\\ & =g^{a_1{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{ik}^h}}+a_2{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{2k}^h}}+\cdots +a_l{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{lk}^h}}}{\left({\displaystyle \prod _{h=1}^z{r}_h}\right)}^N\mathrm{mod}{N}^2\end{array}$$

  (12)

4.2.6. Data Acquisition

The EDCC decrypts and analyzes the ESD. The specific steps are as follows:

• Let $\mathbb{S}=a_1{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{1k}^h}}+a_2{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{2k}^h}}+\cdots +a_l{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{lk}^h}}$ in $C$, $a_j{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{1k}^h}=U_{jk}}$$\left(j=1,2,\cdots ,l;k=1,2,\cdots ,d\right)$, ${\displaystyle \prod _{h=1}^z{r}_h}=R$, $C=g^{M}R\mathrm{mod}{N}^2$, using $\left(\lambda ,\mu \right)$ to decrypt $C$ according to (13):

  $$W=L\left(C^{\lambda }\mathrm{mod}{N}^2\right)\mu \mathrm{mod}N$$

  (13)

$\mathbb{S}=a_1{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{1k}^h}}+a_2{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{2k}^h}}+\cdots +a_l{\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{lk}^h}}$, let ${\mathbb{Q}}_l=\mathbb{S}$, ${\mathbb{Q}}_{j-1}={\mathbb{Q}}_j\mathrm{mod}{a}_j$, ${ℝ}_j=\left({\mathbb{Q}}_j-{\mathbb{Q}}_{j-1}\right)/a_j={\displaystyle \sum _{h=1}^z{V}_j^h}\left(j=l,l-1,\dots ,2\right)$. So ${ℝ}_1={\mathbb{Q}}_1={\displaystyle \sum _{h=1}^z{V}_1^h}$, ${ℝ}_{jk}={\displaystyle \sum _{h=1}^z{\displaystyle \sum _{k=1}^d{V}_{1k}^h}}$.

2.

The EDCC performs frequency statistics on the ESD.

The candidate value frequency of $m_j$ is ${ℝ}_{jk}$, and the frequency estimate can be calculated by the method shown in (14) and (15).

• $x$ is sensitive data:

  $$F_{j,k}=E\left({\widehat{F}}_x\right)=\frac{\alpha {ℝ}_{jk}+\beta \left(1-{ℝ}_{jk}\right)-\beta }{\alpha -\beta }$$

  (14)
• $x$ is non-sensitive data:

  $$F_{j,k}=E\left({\widehat{F}}_x\right)={ℝ}_{jk}$$

  (15)

5. Scheme Analysis

This section provides a theoretical and comparative analysis of the uOUE protocol, demonstrating its low communication cost and high data utility. It also includes a security proof and comparative analysis of the ESD aggregation scheme based on uOUE.

5.1. Theoretical Analysis of uOUE Protocol

This section will introduce some related properties of the uOUE protocol and give the corresponding theoretical proof.

Theorem 1.

The perturbation process of uOUE conforms to the ULDP model.

Proof of Theorem 1.

For any $v_1,v_2\in X_m$, the probability of outputting the same result $A$ satisfies (16):

$$\begin{array}{ll}\frac{\mathrm{Pr}\left[A{\left|v\right.}_1\right]}{\mathrm{Pr}\left[A\left|v_2\right.\right]}& =\frac{{\displaystyle {\prod }_{k\in \left[m\right]}\mathrm{Pr}\left[A\left[k\right]\left|v_1\right.\right]}}{{\displaystyle {\prod }_{k\in \left[d\right]}\mathrm{Pr}\left[A\left[k\right]\left|v_2\right.\right]}}\\ & \le \frac{\mathrm{Pr}\left[A\left[v_1\right]=1{\left|v\right.}_1\right]\ast \mathrm{Pr}\left[A\left[v_2\right]=0\left|{\left|v\right.}_1\right.\right]}{\mathrm{Pr}\left[A\left[v_1\right]=1\left|v_2\right.\right]\ast \mathrm{Pr}\left[A\left[v_2\right]=0\left|v_2\right.\right]}\\ & ={\displaystyle \prod _{k\in d}\frac{\alpha }{\beta }\cdot \frac{1}{1-\gamma }}=e^{\epsilon }\end{array}$$

(16)

□

The above (16) satisfies the second nature of (3).

In uOUE, for any output $A\in Y_N$, there is only one original data item $x\in X_N$ that can be perturbed into reversible data, that is, if and only if $x\in X$, the reversible data are output with probability $\gamma$. Therefore, uOUE satisfies the properties of (1) and (2) in the ULDP model definition.

In summary, the perturbation process of uOUE conforms to the ULDP model.

Theorem 2.

The result of uOUE frequency estimation is an unbiased estimation.

Proof of Theorem 2.

For original data $x$, their estimated frequency is denoted by ${\widehat{F}}_x$.□

If $x$ is sensitive data, it can be known from the disturbance process that:

$$\begin{array}{ll}\hfill E\left({\widehat{F}}_x\right)& =E\left(\frac{F_x/n-\beta }{\alpha -\beta }\right)\hfill \\ & =\frac{\alpha F_x+\beta \left(1-F_x\right)-\beta }{\alpha -\beta }=F_x\hfill \end{array}$$

(17)

If $x$ is non-sensitive data, it can be known from the disturbance process that:

$$E\left({\widehat{F}}_x\right)=E\left(\frac{F_x}{n\gamma }\right)=\frac{n\gamma F_x}{n\gamma }=F_x$$

(18)

In summary, the frequency estimation result of uOUE is unbiased.

Theorem 3.

In the uOUE protocol, the mean square error of the estimated frequency ${\widehat{F}}_x$ is shown in (19):

$$MSE[{\widehat{F}}_x]=\left\{\begin{array}{c}\frac{4e^{\epsilon }}{n{\left(e^{\epsilon }-1\right)}^2}+\frac{F_x}{n},x\in X_S\\ \frac{e^{\epsilon }+1}{n\left(e^{\epsilon }-1\right)}F\left(x\right),x\in X_N\end{array}\right.$$

(19)

Proof of Theorem 3.

From Theorem 2, Equation (6) is an unbiased estimation, so MSE is equal to the variance of ${\widehat{F}}_x$.

• $x$ is sensitive:$\begin{array}{ll}\hfill \mathrm{MSE}\left[{\widehat{F}}_x\right]& =Var\left[{\widehat{F}}_x\right]=Var\left[\frac{F_x/n-\beta }{\alpha -\beta }\right]\hfill \\ & =\frac{nF\left(x\right)\alpha \left(1-\alpha \right)+n\left(1-F\left(x\right)\right)\beta \left(1-\beta \right)}{n^2{\left(\alpha -\beta \right)}^2}\hfill \\ & =\frac{4e^{\epsilon }}{n{\left(e^{\epsilon }-1\right)}^2}+\frac{F_x}{n}\hfill \end{array}$
• $x$ is non-sensitive:$\begin{array}{ll}\hfill \mathrm{MSE}\left[{\widehat{F}}_x\right]& =Var\left[{\widehat{F}}_x\right]=Var\left[\frac{F\left(x\right)}{n\gamma }\right]\hfill \\ & =\frac{nF\left(x\right)\gamma \left(1-\gamma \right)}{n^2{\gamma }^2}=\frac{1-\gamma }{n\gamma }F(x)\hfill \\ & =\frac{e^{\epsilon }+1}{n\left(e^{\epsilon }-1\right)}F\left(x\right)\hfill \end{array}$

□

5.2. Comparative Analysis of uOUE Protocol

5.2.1. Comparison of Theoretical Results

We evaluate the utility of the uOUE protocol with traditional LDP perturbation methods (GRR [12] and RAPPOR [12]) and existing ULDP perturbation methods (uGRR [15], uRAP [15] and uOLH [16]). Since $MSE\left[\widehat{F}\right]={\displaystyle \sum _{x\in X_S}MSE\left[{\widehat{F}}_x\right]}+{\displaystyle \sum _{x\in X_N}MSE\left[{\widehat{F}}_x\right]}$ and Theorem 3, we compute the MSE for both the proposed and existing LDP mechanisms when $\epsilon =O\left(1\right)$. The results are displayed in

Table 1. Comparison of MSE when $\epsilon =O\left(1\right)$.

Mechanism	MSE	Mechanism	MSE
GRR	$O\left(\frac{d^2}{n{\epsilon }^2}\right)$	uRAP	$O\left(\frac{\left|X_S\right|}{n{\epsilon }^2}+\frac{F_{X_N}}{n\epsilon }\right)$
RAPPOR	$O\left(\frac{d}{n{\epsilon }^2}\right)$	uOLH	$O\left(\frac{\left|X_S\right|}{n{\epsilon }^2}+\frac{F_{X_N}}{n}\right)$
uGRR	$O\left(\frac{{\left|X_S\right|}^2}{n{\epsilon }^2}+\frac{\left|X_N\right|F_{X_N}}{n\epsilon }\right)$	uOUE	$O\left(\frac{\left|X_S\right|}{n{\epsilon }^2}+\frac{F_{X_N}}{n\epsilon }\right)$

, in which $F_{X_N}$ represents the actual total frequency of non-sensitive data.

In practical applications, most of the MSE comes from sensitive data, but sensitive data usually only account for a part of the entire data set. Therefore, by optimizing the utility of the personalized component privacy mechanism, its MSE is significantly smaller than the non-utility mechanism. Our improved mechanism is easy to implement in practical applications and shows better performance in terms of computational cost and communication costs. This mechanism can protect sensitive data more accurately and reduce its impact on the overall error.

In addition to data utility, communication cost is also an important criterion to evaluate whether a mechanism is good or not. We summarize the communication cost of existing ULDP protocols, which can be seen in

Table 2. Communication cost comparison.

Mechanism	MSE	Mechanism	MSE
GRR	$O\left(\log d\right)$	uRAP	$O\left(\left|X_S\right|+\left|X_N\right|\right)$
RAPPOR	$O\left(d\right)$	uOLH	$O\left(\log \left|H\right|+\log \left(g+\left|X_N\right|\right)\right)$
uGRR	$O\left(\log \left|X_S\right|+\left|X_N\right|\right)$	uOUE	$O\left(\left|X_S\right|+\left|X_N\right|\right)$

.

As the privacy budget increases, the error of the six protocols gradually decreases. However, in terms of data utility, uGRR is significantly behind the other two protocols. This difference is mainly due to the use of large data sets in the original data domain in the experiment, which poses a challenge to the adaptability of uGRR. For a wide range of raw data domains, uOLH shows superior communication cost performance. In practical scenarios, especially when the original data domain is moderate, the uOUE protocol is superior in communication overhead. Considering the unique application scenarios and data characteristics of ESD, the uOUE protocol effectively meets the needs of actual scenarios while ensuring privacy protection.

5.2.2. Comparison of Experimental Results

• Experimental Settings:

Our experimental environment is set as follows: the operating system is Windows 10, the processor is Inter i7-1165G7, the memory is 16.0 GB, and PyCharm 2021.3.

We conducted experiments on two data sets: the COVID-19 data set [21,22,23] and the SARS virus data set [24]. Their relevant parameter settings are also given in

Table 3. Simulation parameter settings in Figure 4 and Figure 5.

Synthetic Data Set	COVID-19 Data Set	SARS Virus Data Set
$\epsilon$	$\left(0.0,2.0\right)$	$\left(0.0,2.0\right)$
Data size N	100K	50K
Data domain size d	$\left\{16,32,64,\cdots ,1024\right\}$	$\left\{16,32,64,\cdots ,1024\right\}$

.

2.

The effect of $\epsilon$ on MSE

In this subsection, we compare the four mechanisms under different privacy budgets, as shown in Figure 4 and Figure 5.

When the data domain size $d=256$, with the increase in privacy budget $\epsilon$, the MSE of the four mechanisms decreases gradually. Higher privacy budgets lead to more accurate frequency estimation and improved data utility but reduce privacy protection. This implies that within a given privacy budget, we must strive for precise statistical results while preserving data privacy. Balancing data utility and privacy protection is essential.

In the experiment, we observed that data utility with the GRR mechanism was notably lower than with the other four mechanisms. This occurred because the experiment used relatively large data domains, leading to a higher likelihood of data disturbance in uGRR, which impacted frequency estimation accuracy, in line with GRR’s characteristics.

From the chart, it is evident that uOLH excels with particularly large data domains. However, for mid-sized data domains, the enhanced uOUE mechanism proves superior in practical applications. It offers higher practicality and performance for the ESD aggregation scheme.

3.

The effect of $d$ on MSE

Data domain size $d$ also has a certain impact on data utility. Since the data domain of the real data set is fixed, this section evaluates simulated data sets of different sizes. The value range of $d$ set by the experiment is $\left\{16,32,64,\cdots ,1024\right\}$; the proportion of sensitive data is 0.5, and the privacy budget is $\epsilon =1$. The results are shown in Figure 6.

5.3. Security Proof and Analysis

The security of our scheme is based on the BLS signature. Under the Computational Diffie–Hellman (CDH) assumption and random oracle model, the ESD aggregation scheme based on uOUE is unforgeable under an adaptive chosen message attack.

Theorem 4.

If the CDH problem on ${\mathbb{G}}_1$is difficult, then the ESD aggregation scheme based on uOUE achieves Existential Unforgeability Against Adaptive Chosen Message Attacks (EUF-CMA).

Proof of Theorem 4.

Let $H_1$ be a random oracle. The adversary $\mathcal{B}$ knows that $\left(P,P{K}_{\mathcal{A}}=P^a,\vartheta \right)$ takes $\mathcal{A}$ (attacking BLS short signature scheme) as a subroutine, and the goal is to calculate ${\vartheta }^a$. Suppose that ①$\mathcal{A}$ will not initiate two identical queries on the random oracle; ② if $\mathcal{A}$ requests a signature of message $\overline{M}$, he has asked $\vartheta$ before; ③ if $\mathcal{A}$ outputs $\left(\overline{M},{\sigma }_{\mathcal{A}}\right)$, he has asked $\vartheta$ before. □

Analysis: $\mathcal{B}$ regards $P{K}_{\mathcal{A}}$ as its public key and $a$ as its private key ($\mathcal{B}$ does not actually know $a$), then ${\vartheta }^a$ is $\mathcal{B}$’s signature on a message, that is, ${\sigma }_{\mathcal{A}}=H_1{\left(\overline{M}\right)}^a={\vartheta }^a$, where $\left(\overline{M},{\sigma }_{\mathcal{A}}\right)$ is generated by $\mathcal{A}$’s forgery. $\mathcal{B}$ can take ${\vartheta }^a$ as the hash function value of message ${\overline{M}}_j$, but $\mathcal{B}$ does not know which message’s signature is forged by $\mathcal{A}$, so this needs to be guessed. And $\mathcal{B}$ wants to hide the problem instance $\left(P,P{K}_{\mathcal{A}}=P^a,\vartheta \right)$, so a random number $r$ is first selected and $P{K}_{\mathcal{A}}\cdot P^r$ is sent to $\mathcal{A}$ as the public key.

The specific process is as follows:

1.

Initialization: $\mathcal{B}$ sends generator $P$ and public key $P{K}_{\mathcal{A}}\cdot P^r\in {\mathbb{G}}_1$ of multiplicative group ${\mathbb{G}}_1$ to $\mathcal{A}$, where $r\in Z_{q_1}^{\ast }$. The private key corresponding to $P{K}_{\mathcal{A}}\cdot P^r=P^{a+r}$ is $a+r$. In addition, $j\in \left(1,2,\cdots ,q_H\right)$ is randomly selected as one of its guess values. This $H$-query of $\mathcal{A}$ corresponds to the final forgery result of $\mathcal{A}$;

2.

$H_1$-inquiry (up to $q_H$ times): $\mathcal{B}$ creates a $H^{\mathrm{list}}$, initially empty, with the element type of triple $\left({\overline{M}}_i,y_i,b_i\right)$. When $\mathcal{A}$ starts the $i$-th query (set the query value to ${\overline{M}}_i$), $\mathcal{B}$ answers as follows:

(1)

If there is a term $\left({\overline{M}}_i,y_i,b_i\right)$ corresponding to ${\overline{M}}_i$ in $H^{\mathrm{list}}$, then $y_i$ is the answer;

(2)

Otherwise, $\mathcal{B}$ randomly selects $b_i\in Z_{q_1}^{\ast }$.

if $i=j$, then $y_i=\vartheta P^{b_i}\in {\mathbb{G}}_1$ is calculated. Otherwise, $y_i=P^{b_i}\in {\mathbb{G}}_1$ is calculated.

$y_i$ is taken as the response to the query, and $\left({\overline{M}}_i,y_i,b_i\right)$ is stored in the table;

3.

Signature query (up to $q_H$ times): When $\mathcal{A}$ requests a signature of message $\overline{M}$, let $i$ satisfy $\overline{M}={\overline{M}}_i$; ${\overline{M}}_i$ represents the query value of the $i$-th $H_1$ query. $\mathcal{B}$ answers the question as follows:

(1)

If $i\ne j$, then there is a triple $\left({\overline{M}}_i,y_i,b_i\right)$ in $H^{\mathrm{list}}$. ${\sigma }_i={\left(P{K}_{\mathcal{A}}{P}^r\right)}^{b_i}$ is calculated and the reply to $\mathcal{A}$ is ${\sigma }_i$. Because of ${\sigma }_i={\left(P{K}_{\mathcal{A}}{P}^r\right)}^{b_i}=P^{b_i\left(a+r\right)}=y_i^{\left(a+r\right)}$, so ${\sigma }_i$ is the signature of ${\overline{M}}_i$ with secret $a+r$;

(2)

If $i=j$, the process is interrupted;

4.

Output: $\mathcal{A}$ output $\left(\overline{M},\sigma \right)$. If $M\ne M_i$, $\mathcal{B}$ interrupts; otherwise, $\mathcal{B}$ outputs $\frac{\sigma }{{\vartheta }^{a}P{K_{\mathcal{A}}}^{b_j}{P}^{b_{j}r}}$ as ${\vartheta }^a$. $\sigma =y_j^{\left(a+r\right)}={\left(\vartheta P^{b_j}\right)}^{a+r}={\vartheta }^a{\vartheta }^r{\left(P^a\right)}^{b_j}{P}^{b_{j}r}={\vartheta }^a{\vartheta }^{r}P{K_{\mathcal{A}}}^{b_j}{P}^{b_{j}r}$.

In the above process, if $\mathcal{B}$ is not interrupted, then the simulation of $\mathcal{B}$ is complete.

When guessed correctly, the view of the above reduction is identically distributed with the view of the real attack. This is because of the following two points:

(1)

Each of the $q_H$ $H_1$ queries of $\mathcal{A}$ is answered by a random value, and the response to ${\overline{M}}_i\left(i=1,2,\cdots ,q_H\right)$ is as follows:

• When $i=j$ is answered by $y_i=\vartheta P^{b_i}\in {\mathbb{G}}_1$, it is known that $y_i$ is distributed in ${\mathbb{G}}_1$ according to the randomness of $b_i$;
• When $i\ne j$ is answered by $y_i=P^{b_i}\in {\mathbb{G}}_1$, $y_i$ is also distributed in ${\mathbb{G}}_1$.

In real attacks, $H_1$ is regarded as a random oracle. Therefore, the response to $\mathcal{A}$’s hash query is the same distribution as the response in the real attack.

(2)

The response obtained by $\mathcal{A}$ to the signature query of ${\overline{M}}_i\left(i\ne j\right)$ is signed by the private key $a+r$ corresponding to the public key $P{K}_{\mathcal{A}}\cdot P^r=P^{a+r}$ ($\mathcal{A}$ has obtained this), so the signature response obtained by $\mathcal{A}$ is valid (relative to the public key it obtains).

Therefore, the view of $\mathcal{A}$ in the above reduction is identically distributed with its view in the real attack, that is, the simulation of $\mathcal{B}$ is complete.

If the conjecture of $\mathcal{B}$ is correct, then $\mathcal{B}$ solves the problem in group ${\mathbb{G}}_1$. Because the CDH problem in group ${\mathbb{G}}_1$ is difficult, the signature scheme of this scheme is unforgeable under adaptive chosen message attack.

5.4. Performance Analysis

5.4.1. Functional Comparison

Our scheme achieves multidimensional ESD aggregation, guarantees user identity anonymity, and effectively defends against eavesdropping, active attacks, and differential attacks. Compared to existing schemes, homomorphic-based multiple data aggregation (HB-MDA) [25] could aggregate multidimensional data but not multisubset data. Fault-tolerant and flexible privacy-preserving multisubset data aggregation (FF-PPMA) [26] allows the control center to aggregate subsets, but clients can only report one type of data. Moreover, the DP-based multidimensional and multisubset data aggregation scheme (DP-MMDA) [27] signature mechanism is susceptible to adaptive selection message attacks. As seen in

Table 4. Comparison of privacy-preserving data aggregation schemes.

	Scheme	HB-MDA	FF-PPMA	DP-MMDA	Our Scheme
Function
Multidimensional data aggregation		√	×	√	√
Multidimensional and multisubset data aggregation		×	×	√	√
Identity anonymity		×	×	√	√
Eavesdropping attack		√	√	√	√
Active threat		√	×	√	√
Differential attack		×	×	√	√
EUF-CMA		×	×	×	√

, our proposed scheme offers significant functional advantages and a more comprehensive defense against various security threats.

5.4.2. Computational Overhead

In this section, we will analyze the computational overhead of our scheme, comparing it to HB-MDA, FF-PPMA, and DP-MMDA.

Table 5. Applications in each class.

Sign	Description	Time (ms)
${\mathbb{T}}_e$	Exponential operation on ${{\rm Z}}_N$	11.256
${\mathbb{T}}_m$	Multiplication operation on ${{\rm Z}}_N$	1.032

presents the core operations and their execution times. As per

Table 6. Comparison of computational overhead.

Scheme	Encryption Stage	Decryption Phase	Aggregation Phase
HB-MDA	$\left(l+1\right){\mathbb{T}}_e+l{\mathbb{T}}_m$	$\left(z-1\right){\mathbb{T}}_m$	${\mathbb{T}}_e+{\mathbb{T}}_m$
FF-PPMA	$4{\mathbb{T}}_e+2{\mathbb{T}}_m$	$2\left(z-1\right){\mathbb{T}}_m$	$2{\mathbb{T}}_e$
DP-MMDA	$2{\mathbb{T}}_e+{\mathbb{T}}_m$	$\left(z-1\right){\mathbb{T}}_m$	${\mathbb{T}}_e$
Our scheme	$l{\mathbb{T}}_e+{\mathbb{T}}_m$	$\left(z-1\right){\mathbb{T}}_m$	${\mathbb{T}}_e$

, our scheme accomplishes multidimensional and multiregion aggregation, with less computational expense and greater efficiency during the aggregation and decryption phases compared to the HB-MDA and FF-PPMA schemes.

The HB-MDA scheme takes more time owing to the construction of a super-increasing sequence and the use of the PHE algorithm for encryption. By contrast, the DP-MMDA scheme efficiently reduces computational overhead by employing the Chinese remainder theorem to merge multidimensional data into composite data. The FF-PPMA scheme, not accounting for authentication, does not consider signature generation computational overhead. In this study, we solely compare computational overhead for implementing multidimensional and multisubset data aggregation.

With an increasing number of data aggregations, the DP-MMDA scheme and our scheme excel in multidimensional data aggregation, outperforming the HB-MDA and FF-PPMA schemes in computational performance. Note that the DP-MMDA scheme aggregates grid data and is suitable for accumulating electricity, whereas our ESD aggregation involves multiattribute data, primarily used for statistical analysis. Nevertheless, we effectively integrate and analyze ESD across multiple regions and attributes.

We include a ULDP mechanism, enhancing privacy protection for dimension attributes, which is crucial for ESD analysis. With the LDP mechanism, our scheme demonstrates strong computational performance in multidimensional and multisubset data aggregation, delivering heightened data privacy. Our comprehensive analysis showcases that our scheme adeptly balances computational efficiency and privacy protection in large-scale data aggregation scenarios, thereby offering a valuable practical solution.

6. Summary

In the context of ESD aggregation, we enhance the uOUE protocol aligned with the ULDP model to boost data coding efficiency and accuracy. Concurrently, we devise an epidemiological survey grounded in the uOUE protocol, ensuring heightened accuracy in ESD frequency estimation without compromising sensitive data protection. We aim to mitigate the privacy risk associated with raw patient data traversing channels and servers, ensuring data integrity during processing while preserving privacy. These enhancements enable secure, efficient, and precise ESD aggregation, bolstering result accuracy and reliability while thwarting data tampering and forgery. Our scheme also has potential practical application value in multifunctional data aggregation [27,28,29] and data aggregation combined with wearable medical devices.

Our future research will focus on research into data aggregation technology in big data environments to improve data utility in a personalized model and develop a multilevel privacy ESD aggregation scheme. In the personalized model, we will explore adaptive data processing methods to meet different user scenarios and data needs. In this multilevel privacy-level ESD aggregation scheme design, we will account for varying data sensitivity and privacy requirements, optimizing data information utilization while preserving privacy. These studies will advance the field, providing comprehensive, optimized solutions for data aggregation and privacy protection.